[Openswan Users] Thanks for setkey - now I have a new quirk

Geoffrey geoffrey at ticom.com
Thu Apr 15 23:31:49 CEST 2004 

Okay, I'm trying to migrate my FreeSWAN 1.99 gateways over to OpenSWAN 
2.1.1 with very little luck. My connection file on the gateway looks 
like this:

----- START homeuser.conf -----------------------------------------------

conn homeuser
        right=%any
        rightsubnet=192.168.1.0/24
        rightid=@home.domain.com
        rightrsasigkey=<long key data deleted here.>
        left=<external IP address of gateway here.>
        leftsubnet=192.168.0.0/24
        leftid=@gateway.domain.com
        leftrsasigkey=<long key data deleted here.>
        authby=rsasig
        pfs=yes
        ikelifetime=8h
        keylife=1h
        rekey=yes
        keyingtries=0
        auto=add

-------- END homeuser.conf ---------------------------------------------

I placed all of the connection information to the company FreeSWAN
gateway in the client machine's ipsec.conf file. However, when I try
starting ipsec it complains like this:

ipsec_setup: (/etc/ipsec/ipsec.conf, line 40) parameter is not within a 
section

Line 40 is the entry for "right=". The client systems ipsec.conf file
looks like this:

--------- START ipsec.conf ---------------------------------------------

version 2.0     # conforms to second version of ipsec.conf specification
 
# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for 
lots.
        # klipsdebug=all
        # plutodebug=dns
        interfaces="ipsec0=d"
        plutodebug=all
        myid=@home.domain.com
        uniqueids=yes
        #nat_traversal=yes
 
# Add connections here.
conn office
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        leftid=%myid
#       leftfirewall=yes
#       lefttrsasigkey=<long key data deleted here.>
        right=<external IP address of gateway here.>
        rightsubnet=192.168.0.0/24
        rightid=@gateway.domain.com
#       rightrsasigkey=<long key data deleted here.>
        authby=rsasigkey
        pfs=yes
        ikelifetime=8h
        keylife=1h
        rekey=yes
        keyingtries=0
        auto=start

--------------- END ipsec.conf -----------------------------------------

What does that error message mean? I commented out the *rsasigkey
entries when ipsec complained about not liking them in the same way it
is complaining here - "parameter is not within a section". The left and
leftid entries are valid IP adress in the wild and hostname
respectively. The client system fqdn has been inserted in our DNS
zonefile for forward lookup requests with a valid TXT record holding the
key. The home user has a gateway running 2.6.5 and OpenSWAN 2.1.1 and
the gateway machine is running 2.4.x and FreeSWAN 1.99. So, what have I
done wrong or missed? Thanks for any help, and thanks again to all who
pointed me to the ipsec-tools package on sourceforge.net.

geoffrey
-- 
++++++++++++++++++++++++++
 
This space intentionally
left non-blank
 
++++++++++++++++++++++++++

More information about the Users mailing list